Help: Old Employees Accessing The Linux Server

I've recently noticed that two of my former employees are still accessing one of our Linux boxes. The old user account wasn't deleted because it has some important files. How do I make sure the account gets deleted without losing the files and email stored in the account? Can you describe a termination clearance policy for an employee account, including email accounts, forwarding aliases, ssh / ftp, and access to vpn dialup services, under Red Hat Enterprise Linux server?

A laid-off employee may seek revenge, so delete or disable every unwanted account. When an employee leaves you can immediately lock down shell access by typing the following command:

passwd -l username

The -l option disables an account by changing the password to a value which matches no possible encrypted value, and by setting the account expiry field to 1. This makes sure he / she cannot get into the server. You can delete a user account without removing any files as follows:

# userdel username

You can also tell userdel to remove the user's home directory and all of its contents:

# userdel -r username

Files in the user's home directory will be removed along with the home directory itself and the user's mail spool. Files located in other file systems will have to be searched for and deleted manually. Additional cleanup work is left to the administrator.

Recommended Procedure To Delete User Account

The following is the recommended procedure. Linux and UNIX server accounts are maintained as long as the owner is affiliated with you or your business. Generally, users or employees who leave for one reason or another will eventually lose their accounts and data. However, please consult your legal or HR department regarding local laws and privacy policy laws.

#1: Deactivate the account

#2: Scan For Rootkits

Scan files for viruses, malware and rootkits. Try the chkrootkit and rkhunter tools for rootkit scanning. If the user accessed the Linux file server from a Windows or Mac operating system, use Microsoft / Mac OS tools and anti-virus software to scan the files. The ClamAV virus scanner is available and may be used to scan Linux / Unix file systems for viruses that infect other operating systems. Some employees leave rootkits and viruses behind for backdoor entry, so this step is critical before you make a backup of the existing data.

#3: Backup Data

Usually, you need to backup:

Home directory

Email box

FTP directory

Cron jobs

Webserver files

CVS files

MySQL / PGSQL database etc

Just create a tarball of the home directory, cron jobs, and mailbox in a safe location in another directory:

#4: List Files In Other Directories

The user may have left files in other directories. Type the following command to get a complete list of files owned by user vivek:

# find / -user vivek -print0 > /root/viveksfiles.txt 2>/root/error.log &

You can back up those files or simply change their ownership using the find command itself. Remove all files owned by the user from /tmp, /var/tmp, and other temporary locations.

Delete User Account

Finally, you can delete the user account and all of its files:

# userdel -r $user

Make sure you have removed the username from all groups to which it belongs in /etc/group.

#5: Remove The User's Crontab

#6: Remove The User's at Jobs

Type the atq command to list the user's pending jobs; when run by the superuser, everybody's jobs are listed. Review the output, save a copy, then remove each job by its id:

# atq | less
# atq > /path/to/safe/delete_accounts/user/at.bak
# atrm jobid

#7: Delete All Processes

You need to send a SIGKILL (-9) signal to all processes owned by the user. For example, to send the KILL signal to all processes owned by vivek, use the following commands. Get detailed information about the running processes:

# ps -fp $(pgrep -u vivek)

Get all PIDs:

# pgrep -u vivek

Kill them (pkill selects processes by user; it does not take PIDs as arguments):

# pkill -9 -u vivek

OR

# killall -KILL -u vivek

#8: Disable Email Login

Configure your email server to forward or deny access to the mailbox. Usually, this is done by editing the MySQL or LDAP database. Remove the incoming mail (Postfix or Sendmail) and POP / IMAP daemon mail files belonging to the user from /var/mail or /var/spool/mail.

Fig.01: Postfix - Disable Email Box Using Postfixadmin

You can also forward incoming email or simply delete mailbox with Postfixadmin.

#9: Disable Proxy Server and VPN Remote Login

#10: Files and Emails

Generally, any files or email left on a system can be turned over to the employee's supervisor if necessary.

#11: Dealing With Root Level Access

If former employee had root access you may need to look out for the following additional things:

Trojans.

Hidden kernel backdoor modules.

Rootkits.

Cron and at jobs can be used to run arbitrary shell scripts or to hand back root-level access.

A .forward file can be used to run arbitrary shell scripts.

Unwanted and hidden network services.

Passwordless SSH remote login keys, etc.

Unwanted SUID/SGID binaries.

Iptables firewall settings.

Remove all message queues, shared memory segments and semaphores owned by the user.
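The following script turns the checklist above into repeatable checks. It is an added example, not code from the original page: it looks for recently changed SUID/SGID files, .forward files that pipe mail into a command, every authorized_keys file, and cron files that still mention the departed user. The search root, the RHEL cron paths and the "recent" window in days are assumptions you can adjust.

```shell
#!/bin/sh
# audit-leftovers.sh: checks for the persistence artifacts listed above.
# Added example, not from the original page. ROOT is any directory tree
# (use / on the live server); the cron paths follow the RHEL layout and
# the "recent" window in days is an assumption you can change.
set -u

# SUID/SGID files under ROOT whose inode changed within DAYS days:
# a binary that gained the bit recently deserves a second look.
recent_setuid_binaries() {
    root="$1"; days="$2"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -ctime -"$days" -print 2>/dev/null
}

# .forward files that pipe mail into a command ("|cmd") or pull in a
# file via :include:; plain forwarding addresses are not reported.
suspicious_forward_files() {
    root="$1"
    find "$root" -xdev -type f -name .forward -print 2>/dev/null |
    while read -r f; do
        if grep -Eq '^[[:space:]]*"?([|]|:include:)' "$f"; then
            echo "$f"
        fi
    done
}

# Every authorized_keys file under ROOT with key type and comment, so each
# passwordless login key can be matched to a person (assumes the usual
# "type key comment" line format).
list_authorized_keys() {
    root="$1"
    find "$root" -xdev -type f -path '*/.ssh/authorized_keys*' -print 2>/dev/null |
    while read -r f; do
        awk -v file="$f" '!/^#/ && NF >= 3 { print file ": " $1 " " $3 }' "$f"
    done
}

# Cron files that still mention USER: system cron directories plus the
# per-user crontab spool.
cron_references() {
    root="$1"; user="$2"
    grep -rl -- "$user" "$root/etc/cron.d" "$root/etc/crontab" \
        "$root/var/spool/cron" 2>/dev/null
}

# Run every check and print a labelled report.
audit_root_leftovers() {
    root="$1"; user="$2"; days="$3"
    echo "== SUID/SGID files changed in the last $days day(s)"
    recent_setuid_binaries "$root" "$days"
    echo "== .forward files that run commands"
    suspicious_forward_files "$root"
    echo "== authorized_keys entries"
    list_authorized_keys "$root"
    echo "== cron files mentioning $user"
    cron_references "$root" "$user"
}

# Usage on a live system (constructed example): audit_root_leftovers / vivek 30
```

Each function prints paths only, so the report can be diffed against a copy taken before the employee left; anything new in the SUID list or a .forward that runs a command is where to start reading.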

Use Identity Manager Software

Third-party identity manager software can easily enable and disable access to many services. Using automated provisioning software, you can configure policies based on a user's employment status, weekend login rules, and so on.

Automation

You can write a Perl or shell script to automate the entire procedure of disabling access to the user account and backing up files / emails to another safe location.
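As an added example (not a script from the original page), here is the procedure above as one POSIX shell script: lock the account, kill its processes, save and remove its crontab and at jobs, archive the home directory and mail spool, and list files it still owns elsewhere. It assumes mail is a single mbox spool file, that atq prints the owner as the last column (as on RHEL), that all paths are absolute, and it uses usermod -s /sbin/nologin and pkill -u in place of the manual commands above. DRY_RUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# offboard-user.sh: the steps above as one script (added example, not from
# the original page). Assumptions: mail is a single mbox spool file, at(1)
# prints the owner as the last column (as on RHEL), all paths are absolute,
# and usermod -s /sbin/nologin and pkill -u stand in for the page's manual
# commands. Set DRY_RUN=1 to print privileged commands instead of running them.
set -u
DRY_RUN="${DRY_RUN:-0}"

# run: execute a privileged command, or only echo it in dry-run mode
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Step 1: lock the password and replace the login shell, so neither
# password nor SSH-key logins yield a shell.
lock_account() {
    run passwd -l "$1"
    run usermod -s /sbin/nologin "$1"
}

# Step 7: kill every remaining process of the user (pkill selects by
# user name; it does not take PIDs).
kill_user_processes() {
    run pkill -KILL -u "$1"
}

# Step 5: save the crontab as DEST/USER.crontab, then remove it
# (crontab -l exits non-zero when the user has none).
save_and_remove_crontab() {
    user="$1"; dest="$2"
    crontab -u "$user" -l > "$dest/$user.crontab" 2>/dev/null ||
        rm -f "$dest/$user.crontab"
    run crontab -u "$user" -r
}

# Step 6: remove the user's pending at jobs. atq run as root lists every
# user's jobs, so filter on the owner column before calling atrm.
remove_at_jobs() {
    user="$1"
    atq 2>/dev/null | awk -v u="$user" '$NF == u { print $1 }' |
    while read -r job; do
        run atrm "$job"
    done
}

# Step 3: dated tarball of the home directory, mail spool and saved
# crontab. Missing paths are skipped; -C / with the leading slash removed
# keeps tar quiet about absolute names. Prints the archive path.
archive_user_data() {
    user="$1"; homedir="$2"; mail="$3"; dest="$4"
    mkdir -p "$dest"
    archive="$dest/$user-$(date +%Y%m%d).tar.gz"
    list="$dest/$user.filelist"
    : > "$list"
    for p in "$homedir" "$mail" "$dest/$user.crontab"; do
        if [ -e "$p" ]; then
            printf '%s\n' "${p#/}" >> "$list"
        fi
    done
    tar -czf "$archive" -C / -T "$list"
    echo "$archive"
}

# Step 4: NUL-separated list of every file the user still owns below
# ROOT (use / for the whole box); errors go to OUT.err for review.
list_user_files() {
    user="$1"; root="$2"; out="$3"
    find "$root" -xdev -user "$user" -print0 > "$out" 2> "$out.err"
}

# The whole procedure in the page's order: lock first, then clean up and
# archive. The account entry itself is kept so the UID is not reused.
offboard() {
    user="$1"; homedir="$2"; mail="$3"; dest="$4"
    mkdir -p "$dest"
    lock_account "$user"
    kill_user_processes "$user"
    save_and_remove_crontab "$user" "$dest"
    remove_at_jobs "$user"
    archive_user_data "$user" "$homedir" "$mail" "$dest"
    list_user_files "$user" / "$dest/$user.files"
}

# Usage (constructed): DRY_RUN=1 ./offboard-user.sh vivek
if [ -n "${1:-}" ]; then
    offboard "$1" "/home/$1" "/var/spool/mail/$1" "/root/offboard/$1"
fi
```

Run it once with DRY_RUN=1 to review the commands, then for real as root; the archive and the owned-files list land under the chosen backup directory so they can be handed to the supervisor or kept for the retention period your HR policy requires.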

I personally would recommend not deleting a user's account using userdel, since it is possible that the same UID may be used again for a newly added employee. Even if you have searched and changed ownership of all files owned by the user, there still could be files you have missed, leaving a potential security risk.

What of reporting and legacy programs that look for that UID? Or any daemon starting itself as that user; especially if that person is a DBA, you can suddenly discover cron jobs stop running because the user does not exist.

Honestly, I would change their password and set their shell to /bin/false. From there, interrogate any web service and look for old accounts.